1. Environment Variables
Most container configuration can be accomplished by setting environment variables for the instantiated container. The details for how to set environment variables for a container depend on the orchestration engine you use (e.g. docker run, Docker Compose, Docker Swarm, Kubernetes, ...) and full details are beyond the scope of this documentation.
1.1. Secrets
Registry containers support the convention of an associated environment variable ending with _FILE to indicate a path relative to the container from which the value for an environment variable should be read. For example, if the environment variable COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE exists and its value is the path to a readable file, then the contents of the file will be read into the environment variable COMANAGE_REGISTRY_DATABASE_USER_PASSWORD.
If both an environment variable and the associated _FILE environment variable are defined, the associated _FILE environment variable takes precedence, provided that the file it points to exists and is readable.
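The convention above as a small POSIX shell helper. This is an added example, not the image's entrypoint script; file_env and resolve_registry_secrets are names chosen here, and the list of variables the second function resolves is this example's own selection from the table below.

```shell
#!/bin/sh
# Added example, not the project's entrypoint: resolves a variable following
# the *_FILE convention described above.
#
# file_env VAR [DEFAULT]
#   If VAR_FILE names an existing, readable file, VAR is set to its contents
#   (trailing newlines are stripped, this example's choice, so a secrets file
#   that ends in a newline does not leak that newline into a password).
#   Otherwise VAR keeps its own value, or DEFAULT if it is unset or empty.
file_env() {
    var="$1"
    def="${2:-}"
    eval "file=\${${var}_FILE:-}"
    eval "cur=\${$var:-}"
    if [ -n "$file" ] && [ -r "$file" ]; then
        # _FILE wins whenever the file is usable, even if VAR is also set.
        val=$(cat "$file")
        echo "$var: value read from ${var}_FILE" >&2
    elif [ -n "$file" ]; then
        # _FILE is set but the path is missing or unreadable: fall back to
        # the plain variable. Only the fact is logged, never the value.
        val="${cur:-$def}"
        echo "$var: ${var}_FILE is not readable, using the plain variable" >&2
    else
        val="${cur:-$def}"
    fi
    export "$var=$val"
}

# resolve_registry_secrets
#   Apply the convention to the secret-bearing variables from the table
#   below. The list is this example's own choice; the image applies the
#   convention to any variable that has a _FILE counterpart.
resolve_registry_secrets() {
    for var in COMANAGE_REGISTRY_DATABASE_USER_PASSWORD \
               COMANAGE_REGISTRY_OIDC_CLIENT_SECRET \
               COMANAGE_REGISTRY_OIDC_CRYPTO_PASSPHRASE \
               COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD \
               COMANAGE_REGISTRY_SECURITY_SALT \
               COMANAGE_REGISTRY_SECURITY_SEED; do
        file_env "$var"
    done
}
```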
1.2. Shibboleth SP Configuration
Most Registry deployers using SAML SSO for authentication do so in a multi-lateral federated identity context. A production-ready Shibboleth SP configuration for multi-lateral federation requires many edits to the default template files provided by the Shibboleth SP software.
For this reason, while the image allows some Shibboleth SP configurations to be directly injected using environment variables (see the table below), most deployers prepare production-ready Shibboleth SP configuration files and then either bind mount the files into the container at run time using the slashRoot mechanism, or build a custom container image using the project image as a base and COPY the necessary Shibboleth SP configuration files with local deployment details into the directory /etc/shibboleth/.
To facilitate this approach the image includes the standard example and template configuration files experienced Shibboleth SP deployers expect to find.
1.3. mod_auth_openidc Configuration
Most configuration details for the mod_auth_openidc module may be configured using environment variables (see below). Deployers that require additional configuration flexibility must bind mount the files into the container at run time using the slashRoot mechanism, or build a custom container image using the project image as a base and COPY the necessary file into place. See the mod_auth_openidc example for the full set of configuration options.
1.4. Table of All Environment Variables
Variable | Description | Required | Default | Example | Notes |
---|---|---|---|---|---|
COMANAGE_REGISTRY_ADMIN_GIVEN_NAME | Given name for first platform administrator | Yes | Registry | Julia | The environment variable is read the first time the container is started and saved to the COmanage Registry database. Later changes to the environment variable are not reflected in the database state. |
COMANAGE_REGISTRY_ADMIN_FAMILY_NAME | Family name for first platform administrator | Yes | Admin | Janssen | The environment variable is read the first time the container is started and saved to the COmanage Registry database. Later changes to the environment variable are not reflected in the database state. |
COMANAGE_REGISTRY_ADMIN_USERNAME | Username for first platform administrator | Yes | registry.admin | julia.janssen@my.org | When integrating with a single sign-on (SSO) system, this is the value the SSO infrastructure (SAML or OIDC) will set for the Apache REMOTE_USER CGI environment variable for the first platform administrator. The value is often an eduPersonPrincipalName (ePPN) or OIDC sub claim. The environment variable is read the first time the container is started and saved to the COmanage Registry database. Later changes to the environment variable are not reflected in the database state. |
COMANAGE_REGISTRY_CRON_USER | User that runs the cron job when using the cron image | No | www-data | someuid | Used by the cron container only. The crontab file is installed using the command /usr/bin/crontab and the -u flag with the value for this environment variable or the default value if not defined. |
COMANAGE_REGISTRY_CRONTAB | Full path to the crontab file | No | /srv/comanage-registry/local/crontab | /opt/crontab | Used by the cron container only. See this example crontab file. |
COMANAGE_REGISTRY_DATASOURCE | Database type, one of Database/Postgres or Database/Mysql | Yes | Database/Postgres | Database/Mysql | MariaDB users should use Database/Mysql. The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_DATABASE | Database name | Yes | registry | comanage_registry | The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_DATABASE_HOST | Database server host | Yes | comanage-registry-database | database-server.my.org | The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_DATABASE_PORT | Database server port | No | unset | 5433 | If unset the container uses the default port for the database type (5432 for Postgres and 3306 for MySQL/MariaDB). The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_DATABASE_POSTGRES_SSLMODE | sslmode configuration for PostgreSQL | No | unset | require | One of disable, allow, prefer, require, verify-ca, verify-full. See the PostgreSQL Database Connection Control Functions. When set to one of the strings noted above the database configuration file will include 'sslmode' => '<value>'. The CakePHP ORM layer will in turn include this in the PDO_PGSQL DSN. You probably want "require". |
COMANAGE_REGISTRY_DATABASE_USER | Database username | Yes | registry_user | comanage-user | The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_DATABASE_USER_PASSWORD | Database user password | Yes | password | O5Yhtt6TLOxNjo93fmB9 | The environment variable is read when the container starts and written to the configuration file database.php inside the container only if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. |
COMANAGE_REGISTRY_EMAIL_FROM_EMAIL | Default email "From" for emails sent by Registry. This is the email part of the sender array. | Yes | you@localhost | registry@my.org | The name part of the sender array is specified using COMANAGE_REGISTRY_EMAIL_FROM_NAME. When used together the resulting PHP is … The environment variable is read when the container starts and written to the configuration file. |
COMANAGE_REGISTRY_EMAIL_FROM_NAME | Default email "From" for emails sent by COmanage Registry. This is the name part of the sender array. | Yes | unset | Registry | The email part of the sender array is specified using COMANAGE_REGISTRY_EMAIL_FROM_EMAIL. When used together the resulting PHP is … The environment variable is read when the container starts and written to the configuration file. |
COMANAGE_REGISTRY_EMAIL_TRANSPORT | Email transport | No | unset | Smtp | The environment variable is read when the container starts and written to the configuration file email.php if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. This is a CakePHP email configuration value. |
COMANAGE_REGISTRY_EMAIL_HOST | Email server host | No | unset | tls://smtp.gmail.com | The environment variable is read when the container starts and written to the configuration file email.php if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. This is a CakePHP email configuration value. |
COMANAGE_REGISTRY_EMAIL_PORT | Email server port | No | unset | 465 | The environment variable is read when the container starts and written to the configuration file email.php if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. This is a CakePHP email configuration value. |
COMANAGE_REGISTRY_EMAIL_ACCOUNT | Email server account | No | unset | registry-smtp@my.org | The environment variable is read when the container starts and written to the configuration file email.php if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. This is a CakePHP email configuration value. |
COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD | Email server account password | No | unset | Sw5x71ToBHBEr4VqpRxD | The environment variable is read when the container starts and written to the configuration file email.php if the file does not already exist, either because it has been mounted using a persistent volume (or bind mount) or has been added when using the image as a base to build a new image. This is a CakePHP email configuration value. |
COMANAGE_REGISTRY_ENABLE_PLUGIN | Comma separated list of non-core plugins to enable | No | unset | IdentifierEnroller,LdapIdentifierValidator,LdapSource | |
COMANAGE_REGISTRY_HTTP_LISTEN_PORT | Apache HTTP Server listening port for HTTP (no TLS) traffic | No | 80 | 8080 | This environment variable only configures the listening port for HTTP (no TLS) traffic. See COMANAGE_REGISTRY_HTTPS_LISTEN_PORT for configuring HTTPS (with TLS) traffic. |
COMANAGE_REGISTRY_HTTP_NO | Do not listen for HTTP (no TLS) traffic | No | unset | 1 | When set to any value the Apache HTTP Server will not listen for HTTP (no TLS) traffic. |
COMANAGE_REGISTRY_HTTPS_LISTEN_PORT | Apache HTTP Server listening port for HTTPS (with TLS) traffic | No | 443 | 8443 | This environment variable only configures the listening port for HTTPS (with TLS) traffic. See COMANAGE_REGISTRY_HTTP_LISTEN_PORT for configuring HTTP (no TLS) traffic. |
COMANAGE_REGISTRY_HTTPS_NO | Do not listen for HTTPS (with TLS) traffic | No | unset | 1 | When set to any value the Apache HTTP Server will not listen for HTTPS (with TLS) traffic. |
COMANAGE_REGISTRY_OIDC_AUTH_REQUEST_PARAMS | Add additional query string parameters to the OIDC authentication request to the OP | No | unset | idphint=http%3A%2F%2Forcid.org%2Foauth%2Fauthorize | The value is used with the mod_auth_openidc configuration parameter OIDCAuthRequestParams. |
COMANAGE_REGISTRY_OIDC_CLIENT_ID | OIDC client ID | Yes when using mod_auth_openidc authentication, No otherwise | unset | cilogon:/client_id/7c1f02f06ab959a9400ecd1e907173 | The value is used with the mod_auth_openidc configuration parameter OIDCClientID. |
COMANAGE_REGISTRY_OIDC_CLIENT_SECRET | OIDC client secret | Yes when using mod_auth_openidc authentication, No otherwise | unset | PuE4eIqsvIZ66vt | The value is used with the mod_auth_openidc configuration parameter OIDCClientSecret. |
COMANAGE_REGISTRY_OIDC_CRYPTO_PASSPHRASE | Password to use when encrypting OIDC state cookie | Yes when using mod_auth_openidc authentication, No otherwise | unset | s6r9GfwAXV00a2TKMaV2 | The value is used with the mod_auth_openidc configuration parameter OIDCCryptoPassphrase. |
COMANAGE_REGISTRY_OIDC_FORWARD_HEADERS | Forward standard proxy headers when using OIDC | No | unset | 1 | When set the mod_auth_openidc configuration parameter OIDCXForwardedHeaders is set to X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto. |
COMANAGE_REGISTRY_OIDC_PROVIDER_METADATA_URL | OIDC OP metadata URL | No, but if not set all other OP configuration must be injected using other mechanisms | unset | https://cilogon.org/.well-known/openid-configuration | The value is used with the mod_auth_openidc configuration parameter OIDCProviderMetadataURL. |
COMANAGE_REGISTRY_OIDC_REMOTE_USER_CLAIM | OIDC claim to write into REMOTE_USER | No | sub | eppn | The value is used with the mod_auth_openidc configuration parameter OIDCRemoteUserClaim. |
COMANAGE_REGISTRY_OIDC_SCOPES | OIDC scopes to request | No | openid | openid email profile | The list of scopes should be space delimited. The value is used with the mod_auth_openidc configuration parameter OIDCScope. |
COMANAGE_REGISTRY_OIDC_SESSION_INACTIVITY_TIMEOUT | OIDC session inactivity timeout in seconds | No | unset | 3600 | The value is used with the mod_auth_openidc configuration parameter OIDCSessionInactivityTimeout. |
COMANAGE_REGISTRY_OIDC_SESSION_MAX_DURATION | OIDC session maximum duration in seconds | No | unset | 28800 | The value is used with the mod_auth_openidc configuration parameter OIDCSessionMaxDuration. |
COMANAGE_REGISTRY_NO_DATABASE_CONFIG | Do not write a database configuration file | No | unset | 1 | If the environment variable is set to any value then the entrypoint script will not attempt to write the database configuration file database.php. This environment variable is often used with the comanage-registry-cron image when it shares a bind mounted directory with the COmanage Registry image. |
COMANAGE_REGISTRY_NO_EMAIL_CONFIG | Do not write an email configuration file | No | unset | 1 | If the environment variable is set to any value then the entrypoint script will not attempt to write the email configuration file email.php. This environment variable is often used with the comanage-registry-cron image when it shares a bind mounted directory with the COmanage Registry image. |
COMANAGE_REGISTRY_REMOTE_IP | Enable the Apache HTTP Server mod_remoteip module | No | unset | 1 | When set the mod_remoteip module is enabled and the configuration parameter RemoteIPHeader is set to X-Forwarded-For unless otherwise overridden using COMANAGE_REGISTRY_REMOTE_IP_HEADER. This is often used when proxying the container so that the actual client IP address is logged. |
COMANAGE_REGISTRY_REMOTE_IP_HEADER | Declare the header field which should be parsed for useragent IP addresses | No | X-Forwarded-For | X-Client-IP | The value is used with the mod_remoteip module configuration parameter RemoteIPHeader. |
COMANAGE_REGISTRY_REMOTE_IP_INTERNAL_PROXY | Declare client intranet IP addresses trusted to present the RemoteIPHeader value | No | unset | 10.0.2.0/24 | The value is used with the mod_remoteip module configuration parameter RemoteIPInternalProxy. |
COMANAGE_REGISTRY_REMOTE_IP_INTERNAL_PROXY_LIST | Declare client intranet IP addresses trusted to present the RemoteIPHeader value from a file | No | unset | /etc/apache2/my_proxy_list | The value is used with the mod_remoteip module configuration parameter RemoteIPInternalProxyList. The file must be injected into the container using some mechanism. |
COMANAGE_REGISTRY_REMOTE_IP_PROXIES_HEADER | Declare the header field which will record all intermediate IP addresses | No | unset | X-Forwarded-By | The value is used with the mod_remoteip module configuration parameter RemoteIPProxiesHeader. |
COMANAGE_REGISTRY_REMOTE_IP_PROXY_PROTOCOL | Enable or disable PROXY protocol handling | No | unset | On | The value is used with the mod_remoteip module configuration parameter RemoteIPProxyProtocol. |
COMANAGE_REGISTRY_REMOTE_IP_PROXY_PROTOCOL_EXCEPTIONS | Disable processing of PROXY header for certain hosts or networks | No | unset | 10.0.2.1/32 | The value is used with the mod_remoteip module configuration parameter RemoteIPProxyProtocolExceptions. |
COMANAGE_REGISTRY_REMOTE_IP_TRUSTED_PROXY | Declare client intranet IP addresses trusted to present the RemoteIPHeader value | No | unset | proxy.example.com | The value is used with the mod_remoteip module configuration parameter RemoteIPTrustedProxy. |
COMANAGE_REGISTRY_REMOTE_IP_TRUSTED_PROXY_LIST | Declare client intranet IP addresses trusted to present the RemoteIPHeader value from a file | No | unset | /etc/apache2/my_proxy_list | The value is used with the mod_remoteip module configuration parameter RemoteIPTrustedProxyList. The file must be injected into the container using some mechanism. |
COMANAGE_REGISTRY_SECURITY_SALT | Security salt used when hashing. Must be 40 or more characters from the set [0-9a-zA-Z] | No | automatically generated if not provided | VuUq2mnXC0Cco8uKcjO1rDdP2lVC3lgP970QP2XY | If present the environment variable is read the first time the container is started and written to the persistent volume (or bind mount) in the configuration file security.salt. Later changes to the environment variable are not reflected in the file, which must be edited directly. If not using a persistent volume or bind mount or otherwise providing the file security.salt then you must configure this environment variable in order that the same value persists between container restarts. |
COMANAGE_REGISTRY_SECURITY_SEED | Security seed used for encrypt/decrypt. Must be 30 or more numerical digits | No | automatically generated if not provided | 47072649794709969916818407654 | If present the environment variable is read the first time the container is started and written to the persistent volume (or bind mount) in the configuration file security.seed. Later changes to the environment variable are not reflected in the file, which must be edited directly. If not using a persistent volume or bind mount or otherwise providing the file security.seed then you must configure this environment variable in order that the same value persists between container restarts. |
COMANAGE_REGISTRY_PHP_SESSION_REDIS_URL | URL for Redis server to use for storing PHP sessions | No | unset | | The value is set in the php.ini file for the configuration parameter session.save_path. The value for the configuration parameter save_handler is set to redis. See the PhpRedis extension documentation for details. |
COMANAGE_REGISTRY_SKIP_SETUP | Do not run the database setup command | No | unset | 1 | When set the container will not execute the database setup command. |
COMANAGE_REGISTRY_SKIP_UPGRADE | Do not run the upgrade command | No | unset | 1 | When set the container will not execute the upgrade command. This can aid in faster container start times. |
COMANAGE_REGISTRY_SLASH_ROOT_DIRECTORY | Directory to use for copying configuration files into the container based on a "root like" directory structure | No | /opt/registry/slashRoot | /srv/root | When set and the directory exists files will be copied from the directory into the image using the GNU cp command with the --preserve=all and --parents options. |
COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN | Apache HTTP Server virtual host name | No | Obtained from inspecting HTTPS x509 certificate file if present, otherwise "unknown" | registry.my.org | |
COMANAGE_REGISTRY_VIRTUAL_HOST_REDIRECT_HTTP_NO | Do not redirect HTTP to HTTPS | No | unset | 1 | When set the Apache HTTP Server will not be configured to redirect HTTP traffic to HTTPS. |
COMANAGE_REGISTRY_VIRTUAL_HOST_PORT | Apache HTTP Server virtual host port | No | 80 for HTTP and 443 for HTTPS | 443 | Used to construct the Apache HTTP Server ServerName configuration parameter. This is most often used when proxying the container in order to override the actual port used behind the proxy. This does not set the actual listening port and is only used to configure ServerName, which is used by the Apache HTTP Server and its modules to construct self-referential URLs. To configure the actual listening ports see COMANAGE_REGISTRY_HTTP_LISTEN_PORT and COMANAGE_REGISTRY_HTTPS_LISTEN_PORT. |
COMANAGE_REGISTRY_VIRTUAL_HOST_SCHEME | Apache HTTP Server virtual host scheme | No | http for HTTP listening port and https for HTTPS listening port | https | Used to construct the Apache HTTP Server ServerName configuration parameter. This is most often used when proxying the container in order to override the actual scheme used behind the proxy. |
HTTPS_CERT_FILE | path to file containing x509 certificate for HTTPS | No | automatically generated self-signed certificate | /run/secrets/https_cert_file | The path is relative to the running container. The file should include the PEM format X.509 certificate and any intermediate signing CA certificates. |
HTTPS_PRIVKEY_FILE | path to file containing x509 private key for HTTPS | No | automatically generated private key | /run/secrets/https_privkey_file | The path is relative to the running container. |
PHP_IMAGE_VERSION | |||||
SHIBBOLETH_SP_ENCRYPT_CERT | PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | sp-encrypt-cert.pem | Many deployers start a container without specifying the variable and then break into the running container and use the /etc/shibboleth/keygen.sh script to generate the persistent cert and private key pair and copy them out of the container. Later after escrowing the cert and private key they are injected into the container using the variable(s). |
SHIBBOLETH_SP_ENCRYPT_PRIVKEY | Private key associated with the PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | sp-encrypt-key.pem | Many deployers start a container without specifying the variable and then break into the running container and use the /etc/shibboleth/keygen.sh script to generate the persistent cert and private key pair and copy them out of the container. Later after escrowing the cert and private key they are injected into the container using the variable(s). |
SHIBBOLETH_SP_ENTITY_ID | SAML entityID for the SP | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | https://myapp.my.org/shibboleth/sp | |
SHIBBOLETH_SP_METADATA_PROVIDER_XML | XML stanza for configuring Shibboleth SP metadata consumption | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | See the Shibboleth SP documentation on Metadata configuration. | Due to the complex syntax which makes escaping some characters tedious, most deployers write the configuration into a file, bind mount or COPY the file into the image, and specify the variable SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE to point to the location of the file relative to the running container. |
SHIBBOLETH_SP_SAMLDS_URL | URL for SAML IdP Discovery Service | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | https://login-chooser.my.org/ | |
SHIBBOLETH_SP_SIGNING_CERT | PEM encoded X.509 certificate used by the SP for signing authentication requests | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | sp-signing-cert.pem | Many deployers start a container without specifying the variable and then break into the running container and use the /etc/shibboleth/keygen.sh script to generate the persistent cert and private key pair and copy them out of the container. Later after escrowing the cert and private key they are injected into the container using the variable(s). |
SHIBBOLETH_SP_SIGNING_PRIVKEY | Private key associated with the PEM encoded X.509 certificate used by the SP for signing authentication requests | Yes when using Shibboleth SP authentication, No otherwise | image default not suitable for production use | sp-signing-key.pem | Many deployers start a container without specifying the variable and then break into the running container and use the /etc/shibboleth/keygen.sh script to generate the persistent cert and private key pair and copy them out of the container. Later after escrowing the cert and private key they are injected into the container using the variable(s). |
2. Overlaying Files
Most container configuration can be accomplished by setting environment variables for the instantiated container. See the sections above for details.
When a configuration environment variable is not available or more flexibility is needed to support advanced configurations, files may be overlaid in one of three different ways:
2.1. slashRoot mechanism
When the image is instantiated as a container the entrypoint script inspects the container's file system for the presence of a directory colloquially known as "slash Root" or slashRoot. The default directory is /opt/registry/slashRoot.
If the entrypoint script finds the slashRoot directory it copies the files found under that directory to the location in the image indicated by the path of the file relative to the slashRoot directory.
For example, if the file /opt/registry/slashRoot/etc/shibboleth/shibboleth2.xml exists then the entrypoint script will copy that file to /etc/shibboleth/shibboleth2.xml. Likewise, if the file /opt/registry/slashRoot/etc/apache2/ports.conf exists then the entrypoint script will copy that file to /etc/apache2/ports.conf.
The location of the slashRoot directory may be configured using the COMANAGE_REGISTRY_SLASH_ROOT_DIRECTORY environment variable. See above.
The entrypoint script copies files from slashRoot before most other environment variables are processed, so any configuration details set using environment variables will override those in files copied using this mechanism.
Deployers must take care to set both the file ownership and permissions correctly. See below details on the expected ownership and permissions for commonly overlaid files.
The precise mechanism used by the entrypoint script to copy the files is a combination of the GNU xargs and cp commands with the --preserve=all, --parents, and --no-dereference options.
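The slashRoot overlay and the ownership and permission concern above, as an added example that is not the project's entrypoint script. overlay_slashroot mirrors the documented cp options but takes the destination root as a parameter (an assumption made here so it can be rehearsed against a scratch directory); check_private_key_modes uses the private key paths and the 0600 expectation from the configuration file path tables below, since --preserve=all carries a too-permissive mode from the overlay tree straight into the container.

```shell
#!/bin/sh
# Added example, not the project's entrypoint script.

# overlay_slashroot SRC [DST]
#   Copy every file and symlink under SRC into DST at the same relative path,
#   using the GNU cp options the entrypoint is documented to use. DST defaults
#   to / as in the container; passing a scratch directory lets you rehearse an
#   overlay and inspect the result before building or running an image.
overlay_slashroot() {
    src="$1"
    dst="${2:-/}"
    [ -d "$src" ] || return 0   # no slashRoot directory: nothing to do
    ( cd "$src" && find . -mindepth 1 \( -type f -o -type l \) -print0 \
        | xargs -0 -r cp --preserve=all --parents --no-dereference -t "$dst" )
}

# check_private_key_modes SRC
#   Refuse an overlay tree in which a private key would land in the container
#   readable by group or others. The key paths are those listed in the
#   configuration file path tables below (expected mode 0600). Only the mode
#   is checked so that the function also runs outside the container, where the
#   expected owners (uid 33 and uid 999) do not exist.
check_private_key_modes() {
    src="$1"
    rc=0
    for rel in etc/apache2/privkey.pem \
               etc/shibboleth/sp-encrypt-key.pem \
               etc/shibboleth/sp-signing-key.pem; do
        f="$src/$rel"
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "refusing overlay: /$rel has mode $mode, expected 0600" >&2
               rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run check_private_key_modes before overlay_slashroot in a custom entrypoint wrapper so a mis-permissioned key aborts container start instead of being copied into place.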
2.2. Bind mounting individual files
Deployers may wish to overlay individual files by bind mounting rather than using the slashRoot mechanism. See below for an incomplete list of files in the image that may be overlaid.
Deployers must take care to set both the file ownership and permissions correctly. See below details on the expected ownership and permissions for commonly overlaid files.
2.3. Building a new image and COPYing in the configuration files
The images are designed so that each may be used as the base for a new image with necessary customizations provided by using a customized Dockerfile (or similar) and the COPY command to overlay specific files.
Image builders must take care to set both the file ownership and permissions correctly. See below details on the expected ownership and permissions for commonly overlaid files.
2.4. Configuration file paths
2.4.1. Registry
Path | Description | UID | Permission Octal | Example |
---|---|---|---|---|
/srv/comanage-registry/ | Registry PHP application top-level directory | 33 | 0755 | |
/srv/comanage-registry/local/Config/database.php | Database connection configuration | 33 | 0600 | Example |
/srv/comanage-registry/local/Config/email.php | Email configuration | 33 | 0600 | Example |
/srv/comanage-registry/local/Config/security.salt | Security salt file | 33 | 0600 | 6fHzSa2ps1bzyseXbJ7TKcHowXsR9dyIUV0XSuA4 |
/srv/comanage-registry/local/Config/security.seed | Security seed file | 33 | 0600 | 694812053204336881869880217405 |
/srv/comanage-registry/local/Plugin/ | Registry custom plugin directory | 33 | 0755 | /srv/comanage-registry/local/Plugin/FooEnroller |
/srv/comanage-registry/local/webroot/ | Registry webroot directory for additional css, images, and other web file injection | 33 | 0755 | /srv/comanage-registry/local/webroot/img/mylogo.png |
2.4.2. Apache HTTP Server
Path | Description | UID | Permission Octal | Example | Notes |
---|---|---|---|---|---|
/etc/apache2/cert.pem | X.509 certificate for HTTPS | 33 | 0644 | PEM format including all intermediate CA certificates | |
/etc/apache2/privkey.pem | matching private key for HTTPS | 33 | 0600 | PEM format | |
/etc/apache2/sites-available/000-comanage.conf | HTTP Server virtual host configuration | 33 | 0644 | Details differ depending on authentication mechanism. See below. | |
/etc/apache2/ports.conf | HTTP Server listening port configuration | 33 | 0644 | Default are ports 80 and 443 | |
2.4.3. Authentication
2.4.3.1. Basic Authentication
Path | Description | UID | Permission Octal | Example | Notes |
---|---|---|---|---|---|
/etc/apache2/basic-auth | basic authentication password file | 33 | 0600 | Example | |
/etc/apache2/sites-available/000-comanage.conf | HTTP Server virtual host configuration | 33 | 0644 | | |
2.4.3.2. mod_auth_openidc
Path | Description | UID | Permission Octal | Example | Notes |
---|---|---|---|---|---|
/etc/apache2/sites-available/000-comanage.conf | HTTP Server virtual host configuration | 33 | 0644 | | |
2.4.3.3. Shibboleth SP
Path | Description | UID | Permission Octal | Example | Notes |
---|---|---|---|---|---|
/etc/apache2/sites-available/000-comanage.conf | HTTP Server virtual host configuration | 33 | 0644 | ||
/etc/shibboleth/ | Shibboleth SP top level configuration directory | 0 | 0755 | The configuration file layout is the same as would be found in a default stand-alone configuration of the Shibboleth SP software. Please refer to the Shibboleth Project SP Documentation for details. | |
/etc/shibboleth/shibboleth2.xml | Primary Shibboleth SP configuration file | 0 | 0644 | Shibboleth Project SP Documentation | |
/etc/shibboleth/attribute-map.xml | Attribute extraction/mapping configuration file | 0 | 0644 | Shibboleth Project SP Documentation | |
/etc/shibboleth/sp-encrypt-cert.pem | SAML X.509 certificate for encrypting messages sent to the SP | 999 | 0644 | ||
/etc/shibboleth/sp-encrypt-key.pem | Matching private key file | 999 | 0600 | ||
/etc/shibboleth/sp-signing-cert.pem | SAML X.509 certificate used by the SP for signing outgoing messages | 999 | 0644 | ||
/etc/shibboleth/sp-signing-key.pem | Matching private key file | 999 | 0600 | | |
2.4.3.4. cron
Path | Description | UID | Permission Octal | Example | Notes |
---|---|---|---|---|---|
/srv/comanage-registry/local/crontab | Crontab file configuring crond | 0 | 0644 | Example | |
3. Example Deployment Files and Configurations
Click here for a list of example deployment files and configurations.